The errata list is a list of errors and their corrections that were found after the product was released.
The following errata were submitted by our customers and have not yet been approved or disproved by the author or editor. They solely represent the opinion of the customer.
| Version |
Location |
Description |
Submitted by |
Date submitted |
| Printed |
Page online
9.8.3 |
I am not sure whether I understand this correctly, but here is my comment in any case:
In the sample given to allow users to access WWW servers:
# Rule seems unneccesary - already included in iptables -P FORWARD DROP
iptables -A FORWARD -m tcp -p tcp -s 0/0 --sport 80 -d 172.16.1.0/24 --syn -j DROP
# Connections coming from the local side are made from a high, unknown port number, not 80 - otherwise only root would have been ab
le to browse.
iptables -A FORWARD -m tcp -p tcp -s 172.16.1.0/24 --sport 80 -d 0/0 -j ACCEPT
# Again -s 0/0 is redundant. --dport should be --sport
iptables -A FORWARD -m tcp -p tcp -d 172.16.1.0/24 --dport 80 -s 0/0 -j ACCEPT
{Chapter 15} The book says:
"Alan Cox first developed IPX support for the Linux kernel in 1985"
I believe the Linux Kernel (version 0.01) was released sometime around
1991. Perhaps the date should be 1995 instead of 1985.
[online version] http://www.linuxdoc.org/LDP/nag2/x15291.html#AEN15394;
Regarding the example:
friends@cybermail.com REJECT
aol.com REJECT
207.46.131.30 REJECT
postmaster@aol.com OK
linux.org.au RELAY
It states that: The next rule would accept email from postmaster@aol.com
despite the fact that the domain itself has a reject rule.
This is not true. As long as aol.com is listed as REJECT, emails from
postmaster@aol.com will be rejected, because host checking is done in
check_relay ruleset, while MAIL address checking is done in check_mail
ruleset. Failing either ruleset will lead to denied access.
[http://www.linuxdoc.org/LDP/nag2/x-087-2-resolv.howdnsworks.html#X-087-2-
RESOLV.DNS.LOOKUPS]
There is a reference to non-existent picture:
http://www.linuxdoc.org/LDP/nag2/OREILLY.BIND.DIAGRAM.gif.
in my opinion this should be:
http://www.linuxdoc.org/LDP/nag2/lag2_0801.jpg instead.
[chapter 6] I have read online on the Linux Documentation Project site.
In chapter 6, How DNS Works, Reverse Lookups, it is written that concerning
in-addr.arpa system zones "An even more severe restriction is that these
networks' netmasks have to be on byte boundaries.[...] However, if the
netmask were 255.255.255.128 instead, creating zones for the subnet
149.76.12.128 would be impossible, because there's no way to tell DNS that
the 12.76.149.in-addr.arpa domain has been split into two zones of
authority[...]"
I believe that's not true and that you can delegate such zones using :
0-29.12.76.149.in-addr.arpa and 128-29.12.76.149.in-addr.arpa to register
the NS for both zones in the parent DNS ("-29" stands for 29 bits in the
address mask).
The domain I belong to works this way.
{chapter 6} last paragrapah of section 6.2.4;
this has already been reported as a serious technical mistake; i believe it
is actually only a minor technical mistake. this is regarding delegation of
reverse lookup zones. the book says more-or-less-correctly that split
delegation within a byte is not possible. (i.e.) reverse lookup delegation
has to be for the whole 256 ip addresses in a block as a zone. however,
there is a well known kludge that can be used to accomplish this type of
split delegation. though an example is given by the previous errata report,
vital details are missing and the explanation given is wrong. i quote from
the previous errata report.
"I believe that's not true and that you can delegate such zones using
:0-29.12.76.149.in-addr.arpa and 128-29.12.76.149.in-addr.arpa to register
the NS for both zones in the parent DNS ("-29" stands for 29 bits in the
address mask). The domain I belong to works this way."
A better description of the kludge is as follows:
|
Anonymous |
|
| Printed |
Page 1
'pseudo' zones are created under the parent zone (that needs to be |
split delegated) as needed
|
Anonymous |
|
| Printed |
Page 2
instead of usual "ptr" entries, the parent zone server has cname |
entries pointing to entries within this pseudo zone (in an agreed upon
manner)
|
Anonymous |
|
| Printed |
Page 3
the pseudo zones are delegated as needed to the servers that are to |
provide the split-reverse lookup service
|
Anonymous |
|
| Printed |
Page 4
the delegated server for the pseudo zone has ptr entries connecting the |
entries in the pseudo zone to the corresponding hostnames.
in the above example, the parent zone is 12.76.149.in-addr.arpa and the two
'pseudo' zones are named 0-29 and 128-29 (in my case, the pseudo zones are
not numbers but names that indicate the organization/entity that is using
that particular range of ip addresses; the name of these pseudo zones is of
course arbitrary). then, the authoritative server for the parent zone
delegates these 'pseudo zones' to the name server that is going to provide
the split reverse lookups. instead of ptr entries, this parent
authoritative server has cname entries for each of the ip addresses in this
range mapping to some corresponding names in the pseudo zone. as an
example, the reverse lookup file might say
25.12.76.149.in-addr.arpa in cname 25.0-29.12.46.129.in-addr.arpa
instead of the ususal in ptr entry pointing to the hostname corresponding
to the ip address of 129.46.12.25 (say, euler.foobar.org). in the above, i
have assumed the (obvious) agreed upon manner of using the last byte of the
ip address (25) as the handle. now the zone 0-29.12.46.129.in-addr.arpa is
delegated to an appropriate server; this server, in the zone file for this
zone has the in ptr entry like so:
25.0-29.12.46.129.in-addr.arpa in ptr euler.foobar.org
where euler.foobar.org is the hostname corresponding to the address
149.76.12.25. please note that i have used loose syntax. in reality, the
entries in the files can be much shorter through the use of appropriate
$origin directives. the only visible artifact of this is that the reverse
lookup always shows an alias containing the handle used in the pseudo zone.
|
Anonymous |
|
| Printed |
Page 17
Second paragraph, last sentence |
"...both upper- and lowercase numbers..."
Should be:
"...both upper- and lowercase letters...".
|
Anonymous |
|
| Printed |
Page 22
table 2-1 |
The ends of the class B and class C address ranges for private
networks should be 172.31.255.255 and 192.168.255.255, respectively.
They are incorrectly listed in the 11/00 reprint as 172.31.0.0 and
192.168.255.0, respectively.
|
Anonymous |
|
| Printed |
Page 26
Figure 2-2 |
Hi. In the diagram of subnetting, you have the FDDI address of the "sophos" gateway
as "1.1". Since this is going onto the FFDI backbone, I believe it should be "1.4".
It is correct for the gateways "niels" (1.12) and "gcc1" (1.2). If I'm wrong, it just
shows why I bought the book!
|
Anonymous |
|
| Printed |
Page 35
Kernel Configuration - 2nd paragraph |
"Think of it as a right of passage"
should read
"Think of it as a rite of passage".
|
Anonymous |
|
| Printed |
Page 60
In the following text |
"Example 4-6 shows a very simple mgetty configuration file. This example
configures two serial devices. The first, /dev/ttyS0, supports a
Hayes-compatible modem at 38,400 bps. The second, /dev/ttyS0, supports a
directly connected VT100 terminal at 19,200 bps."
the second reference to /dev/ttyS0 should read /dev/ttyS1.
So the last sentence should read:
"The first, /dev/ttyS0, supports a Hayes-compatible modem at 38,400 bps.
The second, /dev/ttyS1, supports a directly connected VT100 terminal at
19,200 bps."
|
Anonymous |
|
| Printed |
Page 77
Second sentence of footnote |
read:
"and STMP worlds...."
should read:
"and SMTP worlds...."
|
Anonymous |
|
| Printed |
Page 83
5th paragraph under Checking the ARP Tables |
#arp -a
the last line where the book indicates it is the address of vlager 172.16.2.4 which is not according to the /etc/hosts file in page 68, I am assuming this IP address should be 172.16.1.1
|
Anonymous |
|
| Printed |
Page 140
Second paragraph, third sentence |
"...the left-most bit corresponds to ASCII 32...."
should be
"...the left-most bit corresponds to ASCII 31...."
|
Anonymous |
|
| Printed |
Page 150
Second to last paragraph |
The example shows a holdoff of 10 minutes but the text of the
paragraph says the holdoff is 5 minutes.
|
Anonymous |
|
| Printed |
Page 155
In the listing of IP filtering criteria |
The second item is:x
* Socket number ( for TCP/UPD )
It should be:
* Socket number ( for TCP/UDP )
change UPD to UDP( User Datagram Protocol )
|
Anonymous |
|
| Printed |
Page 173
In the next to last paragraph |
The text uses the wrong option when describing how to invoke verbose
form. Instead of -u, it should be -v.
|
Anonymous |
|
| Printed |
Page 174
4th paragraph, example of ipchains commands |
The discussion of the sample code doesn't make sense to me unless there is a missing line like:
ipchains -A input -p icmp -j ACCEPT
The line would be the sixth line of the sample.
[188-190; sec 9.9 online] "TOS Bit Manipulation"
I don't have a physical copy of the book, so I'm referencing the location via the
section (9.9 --- TOS Bit Manipulation). It's also not so much a "mistake" as much as
being significantly overtaken by events.
TOS bits were obsoleted by RFC 2474, in December of 1998. (So this part of the book
was out-of-date at the time when it was published). The real problem though is that
lowest two bits of the TOS byte were claimed for use by the ECN by RFC 2481,
published in January 1999, and supported by the Linux 2.4 kernel.
TOS bits are commonly in used by large parts of the Linux community, in particular
0x10 (for high throughput/interactive traffic) and 0x08 (for bulk traffic), which is
set by ssh/scp automatically. So recommending that the TOS bits be used is not
necessarily bad, since there doesn't seem to be any other recommended code points for
the differentiated services code points that are in common use.
However, the problem comes when this section recommends the use of TOS value 0x02,
for "minimum cost" for the NNTP and SMTP protocols. This is REALLY BAD, since the
two low bits are now reserved by the ECN protocol, and in particular, 0x02 is the the
"ECN Capable Transport" bit, and advertises that the host supports the ECN protocol.
Falsely setting this bit may cause routers to try to assume that the host can support
ECN when it can't --- and may result in routers penalizing the hosts that claim to
support ECN when they don't.
|
Anonymous |
|
| Printed |
Page 198
Error in two firewall rules |
Two rules have "deny", "DENY", these should be "DROP":
# We want to deny incoming access by default
$IPTABLES -P FORWARD deny
should be
# We want to deny incoming access by default
$IPTABLES -P FORWARD DROP
and
# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
$IPTABLES -A FORWARD -m multiport -p icmp -i $ANYDEV -d $OURNET -j DENY
should be
# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
$IPTABLES -A FORWARD -m multiport -p icmp -i $ANYDEV -d $OURNET -j DROP
|
Anonymous |
|
| Printed |
Page 204
1st paragraph |
"TCB-based"
should be:
"TCP-based"
|
Anonymous |
|
| Printed |
Page 207
In the last paragraph of section "Accounting by Protocol", |
first sentence:
IMCP
should be:
ICMP
|
Anonymous |
|
| Printed |
Page 328
2nd paragraph |
The sendmail.df file should be sendmail.cf.
|
Anonymous |
|
| Printed |
Page 345
1st paragraph of section "The Real-time Blackhole List" |
MAPS is the Mail Abuse Prevention System, not the Mail Abuse
Protection System.
|
Anonymous |
|
| Printed |
Page 375
figure 20-1 |
the host gargleblaster.com is misspelled as garglebaster.com.
|
Anonymous |
|
| Printed |
Page 381
In the first set of commands (toward the bottom of the page) |
The sed line has a low-mark string of 00001 but the following text has
a low-mark string of 000001. Either way, I would have expected the
string to be 0000000001. Does it matter?
|
Anonymous |
|
| Printed |
Page 416
In the fourth paragraph |
the keyword should be mta, not organization. organization was
described in the preceding paragraph.
|
Anonymous |
|